Compare revisions

ffa2674d · ffa2674d · ffa2674d · ffa2674d · ffa2674d · ffa2674d
--- a/playbooks/rsync.net.yml
+++ b/playbooks/rsync.net.yml
- name: setup rsync.net account
+- name: Setup rsync.net account
  hosts: localhost
  gather_facts: false
  vars_files:

--- a/playbooks/security.archlinux.org.yml
+++ b/playbooks/security.archlinux.org.yml
- name: setup security.archlinux.org
+- name: Setup security.archlinux.org
  hosts: security.archlinux.org
  remote_user: root
  roles:

--- a/playbooks/state.archlinux.org.yml
+++ b/playbooks/state.archlinux.org.yml
- name: setup state.archlinux.org (terraform state store)
+- name: Setup state.archlinux.org (terraform state store)
  hosts: state.archlinux.org
  remote_user: root
  roles:

--- a/playbooks/tasks/fetch-borg-keys.yml
+++ b/playbooks/tasks/fetch-borg-keys.yml
- name: prepare local storage directory
+- name: Prepare local storage directory
  hosts: localhost
  tasks:
-    - name: create borg-keys directory
-      file: path="{{ playbook_dir }}/../../borg-keys/" state=directory  # noqa 208
+    - name: Create borg-keys directory  # noqa risky-file-permissions
+      file: path="{{ playbook_dir }}/../../borg-keys/" state=directory

- name: fetch borg keys
+- name: Fetch borg keys
  hosts: borg_clients
  tasks:
-    - name: fetch borg key
+    - name: Fetch borg key
      command: "/usr/local/bin/borg key export :: /dev/stdout"
      register: borg_key
      changed_when: "borg_key.rc == 0"

-    - name: fetch borg offsite key
+    - name: Fetch borg offsite key
      command: "/usr/local/bin/borg-offsite key export :: /dev/stdout"
      register: borg_offsite_key
      changed_when: "borg_offsite_key.rc == 0"

-    - name: save borg key
+    - name: Save borg key
      shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %}
      args:
        stdin: "{{ borg_key.stdout }}"
@@ -26,7 +26,7 @@
      register: gpg_key
      changed_when: "gpg_key.rc == 0"

-    - name: save borg offsite key
+    - name: Save borg offsite key
      shell: gpg --batch --armor --encrypt --output - >"{{ playbook_dir }}/../../borg-keys/{{ inventory_hostname }}-offsite.gpg" {% for userid in vault_super_pgpkeys | flatten %}--recipient {{ userid }} {% endfor %}
      args:
        stdin: "{{ borg_offsite_key.stdout }}"

--- a/playbooks/tasks/include/reencrypt-vault-key.yml
+++ b/playbooks/tasks/include/reencrypt-vault-key.yml
- name: check if moreutils is installed
+- name: Check if moreutils is installed
  pacman: name=moreutils state=present

- name: reencrypt vault {{ vault_id }} key
+- name: Reencrypt vault {{ vault_id }} key
  shell: |
    set -eo pipefail
    gpg --decrypt --batch --quiet "{{ playbook_dir }}/../../misc/vault-{{ vault_id }}-password.gpg" \

--- a/playbooks/tasks/include/upgrade-server.yml
+++ b/playbooks/tasks/include/upgrade-server.yml
- name: ensure latest keyring
+- name: Ensure latest keyring
  pacman:
    name: archlinux-keyring
    state: latest
    update_cache: yes

- name: upgrade all packages
+- name: Upgrade all packages
  pacman:
    upgrade: yes
  register: pacman_upgrade

- name: stop if no packages were upgraded
+- name: Stop if no packages were upgraded
  meta: end_host
  when: pacman_upgrade is not changed

- name: check for running builds
+- name: Check for running builds
  block:
-    - name: list build-related processes
+    - name: List build-related processes
      command: pgrep -x 'mkarchroot|makechrootpkg|systemd-nspawn'
      register: pgrep
      ignore_errors: true

-    - name: abort reboot with running builds
+    - name: Abort reboot with running builds
      meta: end_host
      when: pgrep is succeeded
  when: "'buildservers' in group_names"


- name: check for active borg backup jobs
+- name: Check for active borg backup jobs
  block:
-    - name: check if /backup exists
+    - name: Check if /backup exists
      stat: path=/backup
      register: backup_mountdir

-    - name: abort reboot when borg backup is running
+    - name: Abort reboot when borg backup is running
      meta: end_host
      when: backup_mountdir.stat.exists
  when: "'borg_clients' in group_names"

- name: gemini pre-reboot checks
+- name: Gemini pre-reboot checks
  block:
-    - name: list logged on users
+    - name: List logged on users
      command: who
      register: who

-    - name: abort reboot with logged on users
+    - name: Abort reboot with logged on users
      meta: end_host
      when:
        - who is changed
        - who.stdout_lines|length > 1

-    - name: stop arch-svntogit.timer
+    - name: Stop arch-svntogit.timer
      service: name=arch-svntogit.timer state=stopped

-    - name: wait for svntogit to finish
+    - name: Wait for svntogit to finish
      wait_for:
        path: /srv/svntogit/update-repos.sh.lock
        state: absent
  when: inventory_hostname == "gemini.archlinux.org"

- name: reboot
+- name: Reboot
  reboot:
--- a/playbooks/tasks/install_arch.yml
+++ b/playbooks/tasks/install_arch.yml
 # This script is for provisioning a server for first boot.
 # Care: It is not idempotent by design.

- name: install_arch
+- name: Install arch
  hosts: all
  remote_user: root
  roles:

--- a/playbooks/tasks/pacman-website.yml
+++ b/playbooks/tasks/pacman-website.yml
@@ -8,13 +8,13 @@
      tempfile: state=directory suffix=pacman
      register: tempdir

-    - name: fetch pacman tarball
+    - name: Fetch pacman tarball
      get_url: url=https://sources.archlinux.org/other/pacman/pacman-{{ pacman_version }}.tar.xz dest={{ tempdir.path }}/pacman.tar.xz

-    - name: unpack tarball
+    - name: Unpack tarball
      unarchive: src={{ tempdir.path }}/pacman.tar.xz dest={{ tempdir.path }}

-    - name: build website
+    - name: Build website
      command: "{{ item }}"
      args:
        chdir: "{{ tempdir.path }}/pacman-{{ pacman_version }}"
@@ -23,10 +23,10 @@
        - ninja -C build doc/website.tar.gz

    - block:
-      - name: create website directory
+      - name: Create website directory
        file: state=directory owner=root group=root mode=0755 path={{ pacman_dir }}

-      - name: upload website
+      - name: Upload website
        unarchive:
          src: "{{ tempdir.path }}/pacman-{{ pacman_version }}/build/doc/website.tar.gz"
          dest: "{{ pacman_dir }}"

--- a/playbooks/tasks/reencrypt-vault-default-key.yml
+++ b/playbooks/tasks/reencrypt-vault-default-key.yml
- name: reencrypt vault default key
+- name: Reencrypt vault default key
  hosts: localhost
  tasks:
-    - name: reencrypt vault default key
+    - name: Reencrypt vault default key
      include_tasks: include/reencrypt-vault-key.yml
      vars:
        vault_id: default

--- a/playbooks/tasks/reencrypt-vault-super-key.yml
+++ b/playbooks/tasks/reencrypt-vault-super-key.yml
- name: reencrypt vault super key
+- name: Reencrypt vault super key
  hosts: localhost
  tasks:
-    - name: reencrypt vault super key
+    - name: Reencrypt vault super key
      include_tasks: include/reencrypt-vault-key.yml
      vars:
        vault_id: super

--- a/playbooks/tasks/sync-ssh-hostkeys.yml
+++ b/playbooks/tasks/sync-ssh-hostkeys.yml
- name: fetch ssh hostkeys
+- name: Fetch ssh hostkeys
  hosts: all
  gather_facts: false
  tasks:
-    - name: fetch hostkey checksums
+    - name: Fetch hostkey checksums
      shell: |
        for type in sha256 md5; do
          for file in /etc/ssh/ssh_host_*.pub; do
@@ -13,7 +13,7 @@
      register: ssh_hostkeys
      changed_when: ssh_hostkeys | length > 0

-    - name: fetch known_hosts
+    - name: Fetch known_hosts
      shell: |
        set -eo pipefail
        ssh-keyscan 127.0.0.1 2>/dev/null \
@@ -26,10 +26,10 @@
      register: known_hosts
      changed_when: known_hosts | length > 0

- name: store hostkeys
+- name: Store hostkeys
  hosts: localhost
  tasks:
-    - name: store hostkeys
+    - name: Store hostkeys
      copy:
        dest: "{{ playbook_dir }}/../../docs/ssh-hostkeys.txt"
        content: |
@@ -40,7 +40,7 @@
          {% endfor %}
        mode: preserve

-    - name: store known_hosts
+    - name: Store known_hosts
      blockinfile:
        path: "{{ playbook_dir }}/../../docs/ssh-known_hosts.txt"
        block: |
@@ -51,9 +51,9 @@

          {% endfor %}

- name: upload known_hosts to all nodes
+- name: Upload known_hosts to all nodes
  hosts: all
  tasks:
-    - name: upload known_hosts
+    - name: Upload known_hosts
      copy: dest=/etc/ssh/ssh_known_hosts src="{{ playbook_dir }}/../../docs/ssh-known_hosts.txt" owner=root group=root mode=0644
      tags: ['upload-known-hosts']
--- a/playbooks/tasks/upgrade-servers.yml
+++ b/playbooks/tasks/upgrade-servers.yml
- name: upgrade and reboot all hetzner servers
+- name: Upgrade and reboot all hetzner servers
  hosts: all,!kape_servers,!equinix_metal
  max_fail_percentage: 0
  serial: 20%
  gather_facts: false

  tasks:
-    - name: upgrade each host in this batch
+    - name: Upgrade each host in this batch
      include_tasks: include/upgrade-server.yml

- name: upgrade and reboot all Kape and Equinix Metal servers
+- name: Upgrade and reboot all Kape and Equinix Metal servers
  hosts: kape_servers,equinix_metal
  max_fail_percentage: 0
  serial: 1
  gather_facts: false

  tasks:
-    - name: upgrade each host in this batch
+    - name: Upgrade each host in this batch
      include_tasks: include/upgrade-server.yml
--- a/playbooks/wiki.archlinux.org.yml
+++ b/playbooks/wiki.archlinux.org.yml
- name: setup wiki.archlinux.org
+- name: Setup wiki.archlinux.org
  hosts: wiki.archlinux.org
  remote_user: root
  roles:

--- a/pubkeys/aginiewicz.pub
+++ b/pubkeys/aginiewicz.pub
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnWeaxKzhumh6bRVaB9gy9Sy3XPlDa9dy1v3lwQQ+3dEHtmukirk1DX4jzLdpJcwwxFL0y1OLdH0/qbDdz1Dqdk8JvjogPQf82QflV14NyLiIilLsA6gETkiuQ7Y/r+7edzqS+bzZJqucw8BSqv7jxoXOL3nJ3G12dkqSW2HUGIQobRolOH1JcXkJg86UIs1Plli48/ptjsd8WiLYWVJsW0538KVsoHHSvOfNv1bjYVLTdYdegdpfwebPOkDj6V4wfhoGZDSCwhXJtLYaXXi41m50seMpelQn2puCwntfPIlcIKv2/5UT9TOnGoVE5LmBtJRCgqKS9EQTQo+392Y4fQ== giniu@raven3
--- a/pubkeys/blakkheim.pub
+++ b/pubkeys/blakkheim.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDilqpO7lsrLwNYc4D3UELkJaXDW4iFxJ/+ifQ8i9+kH
--- a/pubkeys/klausenbusk.pub
+++ b/pubkeys/klausenbusk.pub
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDwrC+miAaggiArz1d1QFMpEk8DTKymDIK4I8VagaZ8f+DUse5+ScxWt2xA+mgk5kDkjvnByCxa5mbuUuWJjAGu1e/TomRO6sKtbJyOwtWxlAzE4SuzE/V5g7obmhTcR5J8m81+mDsMWb+4/ac72/NRyhy9Dnqt/JJybskuEjYTE9GkBq5KV6xveAVVoTjwIE/L8MlCGzvUD4QsalcizkG1xfsI7aeRLonXvwv7Jw/uLTI6Z/Oa4alrip+RWpXQSPBoA6wpAASR41qR8QFiD5kN6aGRv3xqJNPdSfNc1mpkNDVKAeRJnFj5tzOEdaHHSkmB45SbjQk/ZtVlmBIv+3HAPIML01DHc3dger1Po/c2vHg3hxI0ve3rxio5ni4IN/54NUgNqBRBz3gZy6PSyt8HtUfuJzNwZRLdempG+KF1Rk9OHiW7hrokPHYDJWwQmG3x7WTgZxxZy5ou6SCLeE71xspeAHUT4h0Lujpdy5gC6E0TPsH6Z78Qt0O5cVIlZIBqxMwDs6SVtULnKR0K1tDEcX2TlZNGTwkWToq2KZMcj2c5ltTxgmscvhB3RHYIyRLthB6JocHChyD06kVfNDQhckNXwpi+9HCm3fz55O88kn/Mcnirr3etM6mb3Zp8DhX/2IZKLQWe5zr505XkNPVpL7CIBM/iG7fBC8qShj+dGw== klausenbusk
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdl/+AxYj/qY/d8gUowSP1hNc2iU4jiTm0o+HkfqLzew6iRDGn9ZvIXkpKbrtG0sPwda/d4It2ykmcKj7i72vFmQ3ez44y1laA8Sr85GT3aedXiBDiPXf7v4p2Otkhd/P++5bfvmbNc7cE4JKKwenDArWI08LANiHKXE2QyU4CWHivLAPxNs5IHFKnj3j/MDAhRa4ViyITTXBwmqhxlQ+MguGKaX14NsGzZTIuRJG28GhBzJR+SRSh4Me/MRchYkIn+2C43CC7ykbGyoy7JadCKte4GwjN0Eg8syKDC2FgH3i1Df19OwqIUz23YYMW9nNz+vIOeTPGRjy87vhTUNB4G+NN9UbLFlYhGsjMqZn6ZXk6kXNFwgty23mq7PpygdSxE5mSili9P1e0dprjLSUPrlfBrUBZ5IDFzoWiIUlqPDDx3Li8zAXrAMGnLMjDa/hLyoNJKXuD4cnoiTxDfDjid59/EV5dC8QB82XvaYj1fnTdt3Wm93sIJfUzSmxPn6BdswPndjJu2HIkP+YFO+gXLviDnFf86e19sTN2geew8+PnKj1y4S1JPL8FIbK41zUUxXh7qNBPR+FHO33HfipDQ/dJPUVJD7b+2wHwFkxvZUkT81blMOPEfTUGtYLlazEyO/2QafENp2Uuj5tXyfsRUxDVjFtaj2+7adNxCZ8w0Q== klausenbusk_2
--- a/pubkeys/klausenbusk_2.pub
+++ b/pubkeys/klausenbusk_2.pub
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdl/+AxYj/qY/d8gUowSP1hNc2iU4jiTm0o+HkfqLzew6iRDGn9ZvIXkpKbrtG0sPwda/d4It2ykmcKj7i72vFmQ3ez44y1laA8Sr85GT3aedXiBDiPXf7v4p2Otkhd/P++5bfvmbNc7cE4JKKwenDArWI08LANiHKXE2QyU4CWHivLAPxNs5IHFKnj3j/MDAhRa4ViyITTXBwmqhxlQ+MguGKaX14NsGzZTIuRJG28GhBzJR+SRSh4Me/MRchYkIn+2C43CC7ykbGyoy7JadCKte4GwjN0Eg8syKDC2FgH3i1Df19OwqIUz23YYMW9nNz+vIOeTPGRjy87vhTUNB4G+NN9UbLFlYhGsjMqZn6ZXk6kXNFwgty23mq7PpygdSxE5mSili9P1e0dprjLSUPrlfBrUBZ5IDFzoWiIUlqPDDx3Li8zAXrAMGnLMjDa/hLyoNJKXuD4cnoiTxDfDjid59/EV5dC8QB82XvaYj1fnTdt3Wm93sIJfUzSmxPn6BdswPndjJu2HIkP+YFO+gXLviDnFf86e19sTN2geew8+PnKj1y4S1JPL8FIbK41zUUxXh7qNBPR+FHO33HfipDQ/dJPUVJD7b+2wHwFkxvZUkT81blMOPEfTUGtYLlazEyO/2QafENp2Uuj5tXyfsRUxDVjFtaj2+7adNxCZ8w0Q== klausenbusk_2
--- a/pubkeys/serebit.pub
+++ b/pubkeys/serebit.pub
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDF32tlSDr0Ze6owld0p8LCwFT4ttwy99qfDERX/Ntlqobtr9AsZx4FMHToLwhehJuhpj3hzmlmHtRyqF1HnTd6Jrxk8jTmqYej7QpOIZSEmkYwUZK8optnWFIQ/Ce+t5InkJG/FoexXTXEOCegVdZmCyS7Rxr2Nt6v9EDAhYXb9strKROVYy0G5rNisu9aLPqTLEcpbHWnOwHjFuIzivsCq7klqiYYjNruFtH53QEHRKWJhwrrW1AHGQQz3N3nZ/9bV/CvOfC4OZw5CQB4ewDEnYOoMwsQBhlflY2gNDqwcFlC42XIVe+ZD/vL0XNtK+2EK0wmihwEyhieZ8CmoOl/PLxdez9Ipc+Bu5yVDqkIAl4F58Ct55l+21aRVeQEoCxR/3+TJQicwHIurpCftL/g0WF16qnrJ1kcZwSyUi1UO0krBeczrkpjz2gG+Cf/NunLYCn5aXDJ+fJ8QOP8JrG9zQfLMsXiszZv4ICxI5iQDOCAz6r3cHtZCThJJy53FQc=
--- a/pubkeys/tensor5.pub
+++ b/pubkeys/tensor5.pub
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCQM94mC1F77g9DB1wqmbqSpgKpk8x53e2lowqMQEWkOT4LhzSI96QY9Jbrt8AA0RjzckLPtbNTRkivWrKdghFCKsFGk4+xI+g3i7BxXpYMKrpgE6euPEFIQlcjlIQodFUu8YSBWgJKprp7exD0dBs008NzgSam6ImLrQn9iZPB6++FiNQiTNnCfHhqtiXNbTbIxjzQTG1nFRWqc47I0Fwa8hRwU7nUAunS7W+Y2pBE3bVf2q+r0l1RjkUBBt7UsP9EHkJ1SajrFmKrGs8f+t0LxupaW3tfjAnAQOQS1+/oxqI+GLVkXSXbwSi+8J9txd69gXRTGDNJ5bffLPUbGcb Trusted User
--- a/roles/acme_dns_challenge/handlers/main.yml
+++ b/roles/acme_dns_challenge/handlers/main.yml
- name: restart powerdns
+- name: Restart powerdns
  service: name=pdns state=restarted
No results found